Some applications might want to execute gpg without requiring a
transition. A possible use case is to allow applications to validate
signatures (made by GnuPG). As long as the application doesn't need to
generate signatures itself and its trustdb is not marked as
gpg_secret_t, it suffices to grant it gpg_exec().
Note that it does require the application to have read/write rights in
the directory where the trustdb is stored (as gpg tries to generate lock
files where the trustdb file is located).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The latest revision of the labeled policy patches which enable both labeled
and unlabeled policy support for NetLabel. This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access. The older, transport layer specific interfaces, are still
present for use by third-party modules but are not used in the default policy
modules.
trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
Chris PeBenito
Chris PeBenito
Sven Vermeulen
Dominick Grift